f333982c6245780bb4542cde1e9c82a56d101a1a3d2307540f63faa1085b3e23

General

Target

commenti_14032023.doc
Size

504.4MB
MD5

a60c5f8e3e97ac22ed1484ade4dc235f
SHA1

fa53b5c04ace548962a1bb7b052672121b195440
SHA256

990a8caa38d771d929f285f7c8594e9ef90163dadc9489b1f43f165e45e05f5e
SHA512

64bb398b405941de8f63adec045ffdb01ca6f0ca555f0fbed4aaf88c0585ac6f0b49ca0eec7594255da9c4576278fcfb1f9847f7bfc7788d8ee196e8e1e9e8dc
SSDEEP

6144:5yk1RgZZXbN63GW1Z7krKSUzMNYJJdKkOl950uH54Lg4Ne9C:5/MXJ6WW1Z7ktUgNYJJdKkOHC4D409

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1528	1292	regsvr32.exe	WINWORD.EXE

Loads dropped DLL 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

1528 regsvr32.exe
1912 regsvr32.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present

pid	process
1528	regsvr32.exe
1912	regsvr32.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 11 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1292 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

regsvr32.exe

pid process

1912 regsvr32.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

WINWORD.EXE

pid process

1292 WINWORD.EXE
1292 WINWORD.EXE
1292 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1292 WINWORD.EXE
1292 WINWORD.EXE

description	flow	ioc
HTTP User-Agent header	11	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
1292	WINWORD.EXE

pid	process
1912	regsvr32.exe

pid	process
1292	WINWORD.EXE
1292	WINWORD.EXE
1292	WINWORD.EXE

pid	process
1292	WINWORD.EXE
1292	WINWORD.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

WINWORD.EXEregsvr32.exe

description	pid	process	target process
PID 1292 wrote to memory of 2036	1292	WINWORD.EXE	splwow64.exe
PID 1292 wrote to memory of 2036	1292	WINWORD.EXE	splwow64.exe
PID 1292 wrote to memory of 2036	1292	WINWORD.EXE	splwow64.exe
PID 1292 wrote to memory of 2036	1292	WINWORD.EXE	splwow64.exe
PID 1292 wrote to memory of 1528	1292	WINWORD.EXE	regsvr32.exe
PID 1292 wrote to memory of 1528	1292	WINWORD.EXE	regsvr32.exe
PID 1292 wrote to memory of 1528	1292	WINWORD.EXE	regsvr32.exe
PID 1292 wrote to memory of 1528	1292	WINWORD.EXE	regsvr32.exe
PID 1292 wrote to memory of 1528	1292	WINWORD.EXE	regsvr32.exe
PID 1292 wrote to memory of 1528	1292	WINWORD.EXE	regsvr32.exe
PID 1292 wrote to memory of 1528	1292	WINWORD.EXE	regsvr32.exe
PID 1528 wrote to memory of 1912	1528	regsvr32.exe	regsvr32.exe
PID 1528 wrote to memory of 1912	1528	regsvr32.exe	regsvr32.exe
PID 1528 wrote to memory of 1912	1528	regsvr32.exe	regsvr32.exe
PID 1528 wrote to memory of 1912	1528	regsvr32.exe	regsvr32.exe
PID 1528 wrote to memory of 1912	1528	regsvr32.exe	regsvr32.exe
PID 1528 wrote to memory of 1912	1528	regsvr32.exe	regsvr32.exe
PID 1528 wrote to memory of 1912	1528	regsvr32.exe	regsvr32.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\commenti_14032023.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1292

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:2036

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\152536.tmp"
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1528

C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Temp\152536.tmp"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1912

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\XgAFpRAtiywCheXQ\FLsAlrVorr.dll"
4⤵
PID:1700

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\152536.tmp
Filesize
458.6MB

MD5
a37875b79c9bbde379c5454cbedfd007

SHA1
09fb850b77e3404476bce10178bacd53b1668d8c

SHA256
f20e4831fa384b8a29e9ceed5a87f512a2c0726ac1a7b1f1fe7d4fdfbafd3414

SHA512
04745d504cdf6a6610affbe7753668e96380ed6d11dd376f7375a298e91efbf07000c5f410c2a405e874f12a9ce26fd1c9c708e09d6b95ec31553ff61065ae8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\152541.zip
Filesize
843KB

MD5
b2034e76b8c3ae360fd5cab92d1b5ad2

SHA1
e9c111cb4880e85bda5f89ee7ef2edbdab6643f5

SHA256
ce3b4b4859b3d0eeb960353926c62c908a2f4797715b60b3a87ab7f9439b411a

SHA512
63ef8c2d4949d008a49ce847cee6203022a54d4151075565137658854ff7f9b2764991ce9f81a4ae8e6e92a866c467098d4814837fdcdb7193ebc981efa477bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
cdbca4c4aff684746f5f367d0d59cb94

SHA1
6cdb4afaffa8598b3f533e0a6c8d8bad43d6e3b1

SHA256
2fe708abd3ba13a4fde80c65cce076688b49c35371799edc97b6077c9b0799e3

SHA512
c812fa43b0006871de91a5e7ae888e0beffdec742c2e9a5089897bd91767d21e781f02fd85ef72ac0010c9f1fdea3be5d92b1370ff7d2af9f56f5dc4fc824817

Download Submit
\Users\Admin\AppData\Local\Temp\152536.tmp
Filesize
446.8MB

MD5
ab1aece1efd0c5b2481fcbc735a59ad4

SHA1
1edaad4553cf1df301be8623298268f6b89b6c64

SHA256
8776aabba421b976e5c13258f09d6754db4999f0d57f19b8acc7f07922334e15

SHA512
837752ef9d9e5e6be1bc4d7da5e10e954b86d972bfc27449430556bae9b0b6773f2a0615bd1b666bcd08567443baed4397d5017b7f3f9a0a36e5a110be369ad8

Download Submit
\Users\Admin\AppData\Local\Temp\152536.tmp
Filesize
387.5MB

MD5
1ecd65ad83897927ee1a89b37898e77e

SHA1
80307d8c0c296c61531a2244f5d9729cbabca4c2

SHA256
5b638ecd15dc93808b983349f00127815e0a1ec50b5d3a1f1b812ff8fd99dd1b

SHA512
34f60120bea9e1a7a3741205f4646570e5964d1aa1ca6b418cf4776c5f4dd73f0c00620da1a733650811cb039cfddbd35b2e9a681804e7317a7569f464faa8a9

Download Submit
memory/1292-95-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1292-87-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1292-86-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1292-105-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1292-90-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1292-91-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1292-92-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1292-89-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1292-88-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1292-94-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1292-98-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1292-99-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1292-97-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1292-100-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1292-101-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1292-109-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1292-104-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1292-102-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1292-96-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1292-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1292-1744-0x0000000006810000-0x0000000006811000-memory.dmp

Filesize
4KB

Download
memory/1292-85-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1292-103-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1292-108-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1292-107-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1292-106-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1292-115-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1292-116-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1292-114-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1292-113-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1292-112-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1292-111-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1292-110-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1292-139-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1292-84-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1292-1481-0x0000000006810000-0x0000000006811000-memory.dmp

Filesize
4KB

Download
memory/1292-83-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1292-82-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1292-81-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1292-80-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1292-93-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1700-1745-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1912-1739-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads